Passkeys can still authenticate the wrong endpoint if organisations do not control device provenance. The cryptography remains strong, but the governance model weakens because login approval may occur on unmanaged or compromised devices. That creates assurance gaps in recovery, revocation, and auditability, especially where users can synchronise credentials across multiple endpoints.
Why This Matters for Security Teams
Passkeys improve phishing resistance, but they do not solve endpoint governance by themselves. If a passkey is approved on an unmanaged laptop, a jailbroken phone, or a compromised browser profile, the authentication event can still be valid while the device posture is not. That is why passkey rollouts need the same governance discipline described in Ultimate Guide to NHIs — Regulatory and Audit Perspectives and the control thinking in the NIST Cybersecurity Framework 2.0.
The core problem is assurance. A passkey proves possession of a credential bound to a device, but it does not automatically prove that the device is corporate-managed, healthy, or appropriate for the transaction. Without endpoint inventory, device compliance checks, and revocation workflows, organisations can end up with strong authentication and weak access governance at the same time. That gap becomes more serious where passkeys sync across multiple endpoints, because recovery and audit trails can become fragmented across personal and corporate devices.
NHIMG research has repeatedly highlighted how control gaps accumulate around identity lifecycle and oversight, not just around the credential itself. In practice, many security teams encounter endpoint trust failures only after an account review, incident response, or help desk recovery event has already exposed the gap, rather than through intentional device governance.
How It Works in Practice
Endpoint governance for passkeys starts with knowing which devices are allowed to hold or use them, then enforcing that decision at enrollment, sign-in, and recovery. The best current guidance suggests treating the endpoint as part of the authentication trust chain, not as an invisible transport layer. That means device inventory, MDM or EDR posture checks, OS patch thresholds, screen-lock rules, and remote wipe capability should be evaluated alongside the passkey assertion.
For mature environments, this usually looks like a set of linked controls:
- Require managed devices for high-risk applications or privileged workflows.
- Bind passkey registration to verified device provenance and user context.
- Use conditional access to re-check device health at each sensitive transaction.
- Limit recovery paths so an attacker cannot add a new device through weak help desk verification.
- Log device identifiers, attestation signals, and recovery actions for auditability.
That approach aligns with lifecycle governance covered in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and with the visibility problems highlighted in The State of Non-Human Identity Security. The operational lesson is that passkeys reduce credential replay risk, but they do not remove the need to govern where those credentials can be created, synced, and used. This becomes especially important for privileged users, contractors, and any environment that allows cross-device sync into consumer ecosystems. These controls tend to break down when organisations allow self-service registration on personal endpoints because provenance and compliance evidence are no longer consistently available.
Common Variations and Edge Cases
Tighter passkey governance often increases user friction and support overhead, so organisations have to balance usability against endpoint assurance. That tradeoff is real, especially for bring-your-own-device programs, executives who travel constantly, and teams that rely on federated access across multiple business units.
There is no universal standard for this yet, but current guidance suggests three common patterns. First, high-trust roles should use managed endpoints only, with passkey enrollment restricted to corporate devices. Second, lower-risk users may use synced passkeys on personal devices, but only if conditional access, device attestation, and recovery controls are strong. Third, recovery should be treated as a privileged workflow, because account reset often becomes the easiest way to bypass endpoint checks.
The most common edge case is a device that was compliant at enrollment but later falls out of policy, such as when security software is removed or the operating system becomes unsupported. Another is shared devices, where the passkey may authenticate the right person at the wrong endpoint context. NHIMG’s Top 10 NHI Issues reinforces the broader principle: strong identity controls fail when lifecycle enforcement is inconsistent. In practice, passkey deployments break down most often in mixed-device environments where recovery, sync, and audit requirements are not designed together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Passkeys still need proof of trusted device context and recovery governance. |
| NIST SP 800-63 | AAL2 | Passkeys can meet strong auth levels, but device assurance remains separate. |
| NIST Zero Trust (SP 800-207) | SP 5 | Zero Trust requires continuous verification of device and session trust. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Passkeys on unmanaged endpoints create governance and lifecycle gaps. |
| NIST AI RMF | GOVERN | Endpoint governance is an assurance and accountability problem across identity workflows. |
Pair authenticator strength with endpoint provenance and recovery controls before treating access as trusted.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org